No, they don't even load by it default
And it's not considered good practice to enable them on a public ip. The glaring exception would be hosted routers where the hosting company has also loaded an accurate and effective ACL limiting the scope of access to their own systems. There are TOO MANY cases where those restrictions weren't applied, especially for CPE for peoples internet access.
I can remember conversations about whole European ISPs that left the port wide open an used an easy to guess username and password in years gone by.
If you have to do something similar yourself, limit access to SSH only, lock it by IP and to preshared ssh keys and disable password only auth, and make your internal team map the HTTP/S ports over their SSH tunnel if they need web access.
Even loading the interface on the private side could expose you to a reflection attack from your local network, so an attacker is only a evil link away. I'd kill it off till a fix is available, and only re-enable it after a review of the access restrictions. Sadly, not in your control for CPE/managed routers and possibly not even visible to you as the subscriber. You may be able to tease info out of CDP or the serial console port even on a locked down router though, and then cane the support of your provider till they provide evidence the config is secure.
Easier for me to say as only one of my three ISP has replied so far.